Office of Inspector General Recommendations
Not Yet Implemented
by the Department of Education

January 2001 through December 2007

January 31, 2008

Our mission is to promote the efficiency, effectiveness, and integrity of the Department's
programs and operations.

U.S. Department of Education
Office of Inspector General
Washington, DC

UNITED STATES DEPARTMENT OF EDUCATION
OFFICE OF INSPECTOR GENERAL

THE INSPECTOR GENERAL

January 31, 2008

The Honorable Henry Waxman
Chairman, Committee on Oversight and Government Reform
U.S. House of Representatives
2157 Rayburn House Office Building
Washington, D.C. 20515-6143

Dear Chairman Waxman:

In response to your December 7, 2007, request for a list of recommendations made by the Office of Inspector
General to the U.S. Department of Education to reduce government waste and make federal education programs
more efficient and effective, attached please find our report that presents the results of our review.

If you have any questions, or require any additional information, please do not hesitate to contact myself or
Catherine Grant, our Public Affairs Liaison at (202) 245-7023.

Sincerely,

/s/

Thomas L. Sipes
Acting Inspector General

Enclosure
cc: The Honorable Tom Davis, Ranking Member, Committee on Oversight and
    Government Reform
    The Honorable Margaret Spellings, Secretary U.S. Department of Education

The Department of Education's mission is to promote student achievement and preparation for global
competitiveness by fostering educational excellence and ensuring equal access.

Overview

On December 7, 2007, Chairman Henry Waxman, U.S. House of Representatives Committee on
Oversight and Government Reform, requested that the U.S. Department of Education
(Department), Office of Inspector General (OIG), compile a list of recommendations made that
had not yet been implemented by the Department or by Congress. The information was
requested to include recommendations made from January 1, 2001, to present. This report is that
response.

OMB Circular A-50 (Circular), Audit Followup, requires agencies to establish systems to assure the
prompt and proper resolution and implementation of audit recommendations. The Circular provides
definitions as follows:

    ·   Audit Resolution – The point at which the audit organization and agency management or
        contracting officials agree on actions to be taken on reported findings and recommendations.
    ·   Corrective Action – Measures taken to implement resolved audit findings and
        recommendations.

The Department tracks audit resolution and the implementation of corrective actions related to OIG
products in its Audit Accountability and Resolution Tracking System (AARTS).
The Office of the Chief Financial Officer (OCFO) maintains this system, which includes input from OIG
and responsible program officials. AARTS includes recommendation-level detail for all reports where the Department
is directly responsible for implementing corrective action. The system includes less detailed information
on the status of individual recommendations made to non-federal entities, such as state educational
agencies, local educational agencies, participants in the student financial assistance programs,
contractors, or grantees. As such, OIG’s response to the December 7, 2007, request includes only those
recommendations for which the Department is directly responsible for implementing corrective action.

For the time period requested, we identified 241 OIG products that included 1,519 recommendations.
Of that universe, the Department reported in AARTS that corrective actions had been completed for 207
products (86 percent) and 1,363 recommendations (90 percent). The remaining 34 products included
156 recommendations that the Department had not yet implemented. We did not identify any
recommendations issued prior to January 1, 2001, that the Department had not yet implemented.

The 156 recommendations that the Department had not yet implemented are presented in chronological
order, with the most recently issued recommendations presented first. We have categorized the
recommendations, and included the recommendation-level detail in separate sections, as follows:

    ·   Section A – Recommendations Issued within the Last Six Months presents recommendations
        made from July 1, 2007, through December 31, 2007. These recommendations are not
        considered overdue for resolution.
        A total of 9 products and 77 recommendations are included in this section.

    ·   Section B – Recommendations Issued January 1, 2007, through June 30, 2007, presents
        recommendations made between six and twelve months ago. A total of 8 products and 19
        recommendations are included in this section.

    ·   Section C – Recommendations Issued Prior to January 2007 presents recommendations made
        more than one year ago. A total of 17 products and 60 recommendations are included in this
        section.

A complete list of acronyms that are used throughout this report is provided in Appendix A, and a copy
of the request from Chairman Waxman is provided in Appendix B.

In accordance with the request, this report presents only recommendations for which the Department has
not completed corrective actions. All corrective actions reported as completed prior to January 1, 2008,
are excluded from this report. OIG has not confirmed the Department’s representations that corrective
actions have been completed.

A summary schedule follows that lists the OIG products and the number of recommendations not yet
implemented. The appendices provide detail on each OIG product, including report title, report number,
date the report was issued, and link to the report on the OIG website. This information is followed by a
brief summary of the objectives of the review, the findings, and the recommendation(s) for which
corrective action has not been completed. Each recommendation is numbered to correspond with the
specific finding. For example, a recommendation numbered 1.1 signifies it relates to Finding 1.
Likewise, a recommendation numbered 2.1 relates to Finding 2.
If no recommendations are included for
a particular finding, all corrective actions related to that finding have been completed.

Under each recommendation is the current status (unresolved or resolved),[1] the planned completion date
as reported by the Department in AARTS, any estimated cost savings, and a brief description of the non-
monetary benefits of the recommendation. Except where noted, the Department did not provide
information on any delays in implementing the recommendations included in this response. OIG has not
confirmed the Department’s explanations.

Periodically, OIG evaluates the effectiveness of the Department’s audit followup system and corrective
actions taken to address audit recommendations. The last such audit was issued February 27, 2006, and
can be found on OIG’s website at the following link: http://oigmis3.ed.gov/auditreports/a19e0017.pdf.
The Department stated it has implemented all corrective actions related to this audit.

[1] A “resolved” status indicates that the Department has proposed corrective actions and OIG has agreed that the proposed
actions should adequately address the recommendation. The Department’s planned date for completing corrective actions is
also provided. An “unresolved” status indicates that either the Department has not yet proposed corrective actions, or the
Department and OIG have not agreed upon proposed corrective actions to address the recommendation. No planned
completion dates are included for unresolved recommendations.

Summary Schedule

Date Issued   Number of Unimplemented   Report Title
              Recommendations

Reports Issued July 1, 2007, through December 31, 2007 (see Section A)
11/15/2007     5   Financial Statement Audits – U.S. Department of Education for Fiscal Years (FY) 2007 and 2006
11/15/2007     5   Financial Statement Audits – Federal Student Aid for FY 2007 and 2006
09/26/2007    54   System Security Review of the Common Origination and Disbursement System for FY 2007
09/26/2007     1   Virgin Islands Department of Education’s Third Party Fiduciary Has Been Ineffective in Providing Fiscal Oversight and Management of Department Funds
09/25/2007     1   Inspection of Active Congressional Earmarks for FY 2005
09/07/2007     5   Review of Federal Student Aid’s Monitoring of Guaranty Agency Compliance with the Establishment of the Federal Fund and Operating Fund
08/24/2007     2   Controls Over Contract Monitoring for Federal Student Aid Contracts
08/23/2007     2   Department of Education’s Oversight of the Free Application for Federal Student Aid Verification Process
07/02/2007     2   Information Security Risk – Keylogger Vulnerability
Subtotal Unimplemented Recommendations: 77

Reports Issued January 1, 2007, through June 30, 2007 (see Section B)
06/26/2007     6   Effectiveness of the Department’s Financial Management Support System Oracle 11i Re-Implementation
06/18/2007     3   Hurricane Education Recovery Act, Temporary Emergency Impact Aid
05/23/2007     3   Termination of Department of Education Network Access for Separated Employees
05/03/2007     1   Information Security Risk – Capturing of Internet Protocol Addresses
04/16/2007     1   Audit of the Discretionary Grant Award Process in the Office of Postsecondary Education
02/28/2007     1   Review of the Department’s Competitive Sourcing/A-76 Competition
02/22/2007     3   The Department’s Administration of Selected Aspects of the Reading First Program
02/16/2007     1   Conflicting Responsibilities Included in the EDNet Contract Performance Work Statement
Subtotal Unimplemented Recommendations: 19

Reports Issued Prior to January 1, 2007 (see Section C)
12/18/2006     2   Controls Over Excess Cash Drawdowns by Grantees
11/29/2006     1   Audit of the Department of Education FY 2005 IT Equipment Inventory
11/15/2006     1   Financial Statement Audits – U.S. Department of Education for FY 2006 and FY 2005
09/29/2006    14   Review of Financial Partner’s Monitoring and Oversight of Guaranty Agencies, Lenders, and Servicers
09/29/2006     1   Review of the Department’s Online Privacy Policy and Protection of Sensitive Information
09/28/2006     5   Review of the Department’s Incident Handling Program and Intrusion Detection System
09/28/2006     5   System Security Review of the Education Data Center for FY 2006
09/22/2006     5   The Reading First Program’s Grant Application Process
02/01/2006     4   Telecommunications Billing Accuracy
01/31/2006     4   Audit of the Department’s IT Contingency Planning Program – Asset Classification
12/29/2005     4   Department Activities Relating to Consolidating Funds in Schoolwide Programs Provisions
11/14/2005     1   Death and Total and Permanent Disability Discharges of FFEL and Direct Loan Program Loans
10/06/2005     4   Review of the Department’s Incident Handling Program and EDNet Security Controls
09/01/2005     6   Review of the Department Identified Contracts and Grants for Public Relations Services
10/26/2004     1   Departmental Actions to Ensure Charter Schools’ Access to Title I and Individuals with Disabilities Act, Part B Funds
05/04/2004     1   FSA Audits on Administrative Stay
08/29/2002     1   Contract Unliquidated Balances Converted from Department’s Payment Management System
Subtotal Unimplemented Recommendations: 60

Grand Total Unimplemented Recommendations: 156

Section A - Recommendations Issued Within the Last Six Months
(July 1, 2007, through December 31, 2007)

Report/Recommendation Summary

This section presents those OIG work products released from July 1, 2007, through December 31, 2007.
During this timeframe, OIG released 9 reports that included 98 recommendations for the Department to
implement. Of that universe, 9 reports include 77 recommendations that have not yet been
implemented. As these audits are less than six months old, OIG does not consider the recommendations
overdue for resolution.

Report Title:       Financial Statement Audits – U.S. Department of Education
                    for Fiscal Year (FY) 2007 and FY 2006
Report Numbers:     A17H0003
Report Issued:      11/15/2007
Link to Report:     http://www.ed.gov/about/reports/annual/2007report/auditors.pdf

Objective(s):

The objectives of the audit were to:

1. Provide an opinion on whether the financial statements are fairly presented in all material
   respects.
2. Report on internal controls that are intended to ensure that transactions are properly recorded
   to permit the preparation of reliable financial statements, maintain accountability for
   safeguarding of assets, and ensure that data supporting performance measures are properly
   recorded.
3. Report on compliance with laws and regulations that could have a direct and material effect
   on the financial statements.

Finding(s):

1.    Continued focus on credit reform estimation and financial reporting processes.
      This is a modified repeat condition (MRC).[2]
2.    Additional focus on program monitoring activities is needed.
3.    Controls surrounding information systems need enhancement. (MRC)

[2] Modified Repeat Condition or MRC denotes that the recommendation was cited in a prior audit(s).

Recommendation(s) Not Yet Implemented by Department:

1.1   Continue to improve the analytical tools used for the loan estimation process and in
      periodic meetings of the Credit Reform Workgroup. Ensure that all analytical tools
      reconcile with one another to allow for their use as detect controls for loan program cost
      estimates.
          · Status - Unresolved.
          · Planned Completion Date - Not applicable, unresolved.
          · Estimated Cost Savings - Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits - More accurate measures of and budgeting
            for the cost of federal loan programs, enhanced credit reform estimation
            process, strengthened internal control and tools, greater program
            performance insight, more accurate cohort-level data.

1.2   Continue efforts to more fully implement cohort reporting with specific research on
      whether balances in the Department's financial records are supported by estimates, by
      cohort, from the Student Loan Model (SLM) and the newly developed cohort analysis tool,
      and that remaining credit reform estimates for each cohort are appropriate in relation to the
      remaining outstanding loans for such cohorts.
          · Status - Unresolved.
          · Planned Completion Date - Not applicable, unresolved.
          · Estimated Cost Savings - Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits - More accurate measures of and budgeting
            for the cost of federal loan programs, enhanced credit reform estimation
            process, strengthened internal control and tools, greater program
            performance insight, more accurate cohort-level data.

1.3   Document the consideration and ultimate resolution, in detail, of scenarios under which
      deviation from patterns of prior cash flows may be appropriate in developing credit reform
      estimates.
          · Status – Unresolved.
          · Planned Completion Date – Not applicable, unresolved.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – More accurate measures of and budgeting
            for the cost of federal loan programs, enhanced credit reform estimation
            process, strengthened internal control and tools, greater program
            performance insight, more accurate cohort-level data.

2.1   Continue to re-assess oversight and monitoring practices to include a specific focus on the
      risks of each program in connection with its evaluation and assessment of internal control.
      This process should also address risks identified in other assessment, audit, and inspection
      activities. The identified risks and the controls identified to mitigate such risks, both of
      which should be thoroughly documented, serve as a starting point for identifying
      appropriate improvement initiatives.
      The Department and Federal Student Aid (FSA)
      should continue and refine efforts we were informed are underway to identify and
      implement, as appropriate, additional changes needed in the approach to program
      management, including procedures for performing program and monitoring reviews, and
      reviews of payments to Federal Family Education Loan (FFEL) program lenders and
      guaranty agencies prior to disbursement as appropriate.
          · Status – Unresolved.
          · Planned Completion Date – Not applicable, unresolved.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Reduction in potential noncompliance
            with program requirements, reduction in deficiencies noted in the program
            oversight processes, improved program administration and performance,
            improved policies development and dissemination, better oversight over
            funds and disbursements.

3.1   Continue efforts to address security and control weaknesses disclosed in audit reports or
      identified in internal self-assessments with an emphasis on addressing the root cause of the
      security or control weakness uniformly across the organization, which should decrease the
      likelihood of similar weaknesses being identified in future audit assessments and internal
      self-assessments.
          · Status – Unresolved.
          · Planned Completion Date – Not applicable, unresolved.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Protection of mission critical systems,
            improved and consistent security configuration across the organization,
            greater and enhanced oversight over contractor supported systems,
            stronger security procedures and detection systems, strengthened internal
            control, improved protection and safeguarding of personally identifiable
            information (PII).

Report Title:       Financial Statement Audits – Federal Student Aid
                    For FY 2007 and FY 2006
Issue Date:         11/15/2007
Report Number:      A17H0004
Link to Report:     http://www.ed.gov/about/offices/list/oig/auditreports/fy2008/a17h0004.pdf

Objective(s):

The objectives of the audit were to:

1. Provide an opinion on whether the financial statements are fairly presented in all material
   respects.
2. Report on internal controls that are intended to ensure that transactions are properly recorded
   to permit the preparation of reliable financial statements, maintain accountability for
   safeguarding of assets; and ensure that data supporting performance measures are properly
   recorded.
3. Report on compliance with laws and regulations that could have a direct and material effect
   on the financial statements.

Finding(s):

1.    Continued focus on credit reform estimation and financial reporting processes is warranted.
      (MRC)
2.    Additional focus on program monitoring activities is needed.
3.    Controls surrounding information systems need enhancement. (MRC)

Recommendation(s) Not Yet Implemented by the Department:

1.1   Continue to improve the analytical tools used for the loan estimation process and in
      periodic meetings of the Credit Reform Workgroup.
      Ensure that all analytical tools
      reconcile with one another to allow for their use as detect controls for loan program cost
      estimates.
          · Status – Unresolved.
          · Planned Completion Date – Not applicable, unresolved.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – More accurate measures of and budgeting
            for the cost of federal loan programs, enhanced credit reform estimation
            process, strengthened internal control and tools, greater program
            performance insight, more accurate cohort-level data.

1.2   Continue efforts to more fully implement cohort reporting, with specific research on
      whether balances in the Department's and FSA's financial records are supported by
      estimates, by cohort, from the SLM and the newly developed cohort analysis tool, and that
      remaining credit reform estimates for each cohort are appropriate in relation to the
      remaining outstanding loans for such cohorts.
          · Status – Unresolved.
          · Planned Completion Date – Not applicable, unresolved.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – More accurate measures of and budgeting
            for the cost of federal loan programs, enhanced credit reform estimation
            process, strengthened internal control and tools, greater program
            performance insight, more accurate cohort-level data.

1.3   Document the consideration and ultimate resolution, in detail, of scenarios under which
      deviation from patterns of prior cash flows may be appropriate in developing credit reform
      estimates.
          · Status – Unresolved.
          · Planned Completion Date – Not applicable, unresolved.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – More accurate measures of and budgeting
            for the cost of federal loan programs, enhanced credit reform estimation
            process, strengthened internal control and tools, greater program
            performance insight, more accurate cohort-level data.

2.1   Continue to re-assess oversight and monitoring practices to include a specific focus on the
      risks of each program in connection with its evaluation and assessment of internal control.
      This process should also address risks identified in other assessment, audit and inspection
      activities. The identified risks and the controls identified to mitigate such risks, both of
      which should be thoroughly documented, serve as a starting point for identifying
      appropriate improvement initiatives.
The Department and FSA should continue and refine\n      efforts we were informed are underway to identify and implement, as appropriate,\n      additional changes needed in the approach to program management, including procedures\n      for performing program and monitoring reviews, and reviews of payments to FFEL lenders\n      and guaranty agencies prior to disbursement as appropriate.\n                    \xc2\xb7 Status \xe2\x80\x93 Unresolved.\n                    \xc2\xb7 Planned Completion Date \xe2\x80\x93 Not applicable, unresolved.\n                    \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                    \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Reduction in potential noncompliance\n                        with program requirements, reduction in deficiencies noted in the program\n                        oversight processes, improved program administration and performance,\n                        improved policies development and dissemination, better oversight over\n                        funds and disbursements\n\n\n\n\n                                                9\n\x0c3.1   Continue efforts to address security and control weaknesses disclosed in audit reports or\n      identified in internal self-assessments with an emphasis on addressing the root cause of the\n      security or control weakness uniformly across the organization, which should decrease the\n      likelihood of a similar weaknesses being identified in future audit assessments and internal\n      self-assessments.\n                    \xc2\xb7 Status \xe2\x80\x93 Unresolved.\n                    \xc2\xb7 Planned Completion Date \xe2\x80\x93 Not applicable, unresolved.\n                    \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                    \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Protection of mission critical systems,\n                        
                improved and consistent security configuration across the organization,
                greater and enhanced oversight over contractor supported systems,
                stronger security procedures and detection systems, strengthened internal
                control, improved protection and safeguarding of PII.

Report Title:       System Security Review of the Common Origination
                    and Disbursement System for FY 2007
Issue Date:         9/26/2007
Report Number:      A11H0001
Link to Report:     Not posted, sensitive data³

Objective(s):

The objective of the audit was to evaluate management, operational, and technical controls of the
FSA system security program in accordance with the Federal Information Systems Management
Act (FISMA). This included auditing the FSA-managed Common Origination and Disbursement
(COD) system and the outsourced service provider that hosts the system.

Finding(s):

1.    FSA needs to improve controls over the COD certification and accreditation (C&A) program.
2.    FSA needs to improve controls over risk assessment.
3.    FSA did not ensure the contractor documented roles, provided specialized training, and
      developed formal documented procedures for implementing the security awareness and
      training program.
4.    FSA did not ensure configuration management controls were effective.
5.    Improvements are needed for the COD contingency planning program.
6.    FSA did not ensure effective reporting for the incident response and handling program.
7.    FSA did not ensure adequate media protection controls.
8.    FSA did not ensure adequate physical and environmental protection of the COD system.
9.    FSA did not effectively monitor personnel security controls.
10.   FSA did not ensure the contractor provided proper access controls.
11.   FSA did not ensure the contractor provided proper audit and accountability controls.
12.   FSA did not effectively monitor the contractor to ensure proper identification and
      authentication controls.
13.   FSA needs to improve controls for safeguarding PII.
14.   FSA did not adequately monitor the COD system contractor.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Monitor and document the development, management, operation, and security of all
      connections between the COD and interfacing systems.
              · Status – Resolved.
              · Planned Completion Date – 03/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Identification of risk to the Department,
                strengthened internal control.

³ Reports containing sensitive data are not posted on the OIG website.

1.3   Ensure that all risk categorization frequency and intensity are commensurate with the
      potential harm to the Department’s operations, and all vulnerabilities previously
      identified during the 2004 C&A process are mitigated.
              · Status – Resolved.
              · Planned Completion Date – 01/07/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased system security, reduced risk.

1.4   After an adequate review of all interconnected systems and assessment of the appropriate
      risk categorization to all vulnerabilities, document and reflect the results in an updated
      C&A package.
              · Status – Resolved.
              · Planned Completion Date – 01/07/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Enhanced monitoring of the development,
                management, operations, and security of connections between interfacing
                systems, strengthened internal control.

2.1   Conduct a risk assessment that adheres to current federal requirements and identifies
      current system vulnerabilities.
              · Status – Resolved.
              · Planned Completion Date – 01/07/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Supports organization business objectives or
                mission, identifies system potential threats and vulnerabilities, strengthened
                internal control, compliance with laws and/or regulations.

2.2   Establish controls to ensure that risk assessments are conducted at least every three years
      or when there is a major change in the COD environment, whichever occurs first.
              · Status – Resolved.
              · Planned Completion Date – 01/07/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Reduces risk to an acceptable level, ensures
                compliance with laws/regulations.

2.3   Develop and implement a plan of action to mitigate/correct identified risks and
      vulnerabilities.
              · Status – Resolved.
              · Planned Completion Date – 01/22/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased system security, reduced risk,
                strengthened internal control.

3.1   Develop and document all roles and responsibilities for all personnel with access to COD,
      in accordance with National Institute of Standards and Technology (NIST), Office of
      Management and Budget (OMB) guidance, and contract requirements.
              · Status – Resolved.
              · Planned Completion Date – 03/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Compliance with laws and/or regulations,
                provides separation of duties and assists in establishing security awareness
                and training requirements.

3.2   Maintain, update and disseminate the list of roles and responsibilities for all personnel.
              · Status – Resolved.
              · Planned Completion Date – 03/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Ensures that each person involved
                understands their roles and responsibilities and is adequately trained,
                strengthened internal control.

3.3   Provide specialized training programs for firewall, Windows operating system, and
      Intrusion Prevention System (IPS) administrators and any refresher training required to
      perform their responsibilities.
              · Status – Resolved.
              · Planned Completion Date – 03/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Compliance with laws and/or regulations,
                increased system security.

4.1   Develop an up-to-date configuration management plan to address all required elements.
      The new plan should refer to the proper release of the COD system, and a current audit
      plan.
              · Status – Resolved.
              · Planned Completion Date – 04/16/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Established control for baseline
                configurations, strengthened internal control.

4.3   Ensure that the contractor establishes procedures for testing the IPS and firewall
      configurations before implementing changes.
              · Status – Resolved.
              · Planned Completion Date – 02/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased system security, strengthened
                internal control.

4.4   Direct the contractor to securely configure servers, databases, and routers.
              · Status – Resolved.
              · Planned Completion Date – 03/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased system security, reduced risk.

4.5   Establish and implement an effective contract monitoring plan to ensure that the
      contractor is fulfilling responsibilities under the contract, and the COD system has the
      proper configuration management controls in place to protect Department information.
              · Status – Resolved.
              · Planned Completion Date – 11/01/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased assurance that actions are
                appropriate, and increased system security, reduced risk.

5.1   Develop an up-to-date disaster recovery plan that includes providing details of changes
      that may have occurred throughout the different system releases, ensuring the listing of
      system names reflects the current inventory device name/host name/web address, and
      documenting testing scenario details and testing criteria to provide a consistent baseline
      of scenarios and criteria to judge the impact of the disaster recovery test and results.
              · Status – Resolved.
              · Planned Completion Date – 04/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Compliance with laws and/or regulations,
                increased system security, reduced risk.

5.3   Develop and implement a plan of action to mitigate/correct identified risks and
      vulnerabilities.
              · Status – Resolved.
              · Planned Completion Date – 02/29/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased system availability and data
                security.

6.1   Establish and implement an effective contract monitoring plan to ensure the contractor is
      fulfilling the responsibilities under the contract, and that the COD system is properly
      monitored for all suspicious activities and security incidents are properly reported in
      accordance with Department and FSA incident response and handling programs.
              · Status – Resolved.
              · Planned Completion Date – 04/30/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased assurance that actions are
                appropriate and that proper resolutions are attained for incidents and/or
                suspicious activities, strengthened internal control.

6.2   Direct the contractor to incorporate incident handling and response processes and
      reporting as a part of the COD system security plan, in accordance with Department and
      FSA guidance.
              · Status – Resolved.
              · Planned Completion Date – 03/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased system security, reduced risk.

7.2   Require that a review for media storage be included on the next physical security
      assessment and each assessment performed thereafter.
              · Status – Resolved.
              · Planned Completion Date – 03/31/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Ensure adequate media protection controls,
                increased system security, reduced risk.

7.3   Affix external labels to removable information system media and information system
      output indicating the distribution limitations, handling caveats, and applicable security
      markings (if any) of the information for all tapes at the contractor’s site containing COD
      information.
              · Status – Resolved.
              · Planned Completion Date – 02/01/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Strengthened internal control, reduced risk.

8.1   Perform an adequate periodic agency review of the physical access controls for COD,
      including both the north and east data centers.
              · Status – Resolved.
              · Planned Completion Date – 02/29/2008.
              · Estimated Cost Savings – Not quantified.
              · Other Non-monetary Benefits – Compliance with laws and/or regulations,
                increased system security, reduced risk.

8.2   Ensure that the contractor adequately manages all environmental controls and inspections
      for the fire extinguishers, diesel storage tanks, and fire suppression cylinders.
              · Status – Resolved.
              · Planned Completion Date – 02/29/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Ensure adequate environmental controls,
                increased system security, enhanced data reliability and availability.

8.3   Correct all environmental control problems, including proper inspections, maintenance,
      and signage requirements.
              · Status – Resolved.
              · Planned Completion Date – 03/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Ensure adequate environmental controls and
                system data availability.

9.4   Conduct a thorough annual review of the access control listing to verify whether
      contractors accessing COD have the proper background investigation that is
      commensurate with the level of harm that can be inflicted to the COD system.
              · Status – Resolved.
              · Planned Completion Date – 04/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased assurance that actions are
                appropriate, increased system and data security, reduced risk.

9.5   Suspend or obtain interim clearances for system access for those personnel that do not
      have complete, required background investigations, interim clearances, or security risk
      assessments, until security investigations are completed.
              · Status – Resolved.
              · Planned Completion Date – 03/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased assurance that actions are
                appropriate, strengthened internal control, increased system security.

10.1  Configure servers, IPS, routers, and firewalls to prevent disclosure of sensitive network
      information, potential malicious attacks, and performance degradation.
              · Status – Resolved.
              · Planned Completion Date – 04/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Provide adequate controls over access, audit
                and accountability, identification and authentication, and PII, strengthened
                internal control.

10.2  Ensure proper authorization for user accounts on servers, IPS, routers and switches.
              · Status – Resolved.
              · Planned Completion Date – 04/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased system security, reduced risk.

10.3  Ensure proper management of user rights, permissions, and system services.
              · Status – Resolved.
              · Planned Completion Date – 04/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Enhanced internal control over
                resources/actions, increased system security.

10.4  Implement use of NIST checklists, so that the contractor can improve security on the
      COD’s servers, IPS, routers, and firewalls.
              · Status – Resolved.
              · Planned Completion Date – 5/31/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Compliance with laws and/or regulations,
                increased system security, reduced risk.

10.5  Establish and implement an effective contract monitoring plan to ensure that the
      contractor is fulfilling its responsibilities under the contract, and that the COD system is
      properly configured to mitigate internal threats to the COD environment.
              · Status – Resolved.
              · Planned Completion Date – 11/30/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased effectiveness, strengthened internal
                control.

11.1  Develop, maintain, and effectively enforce well-defined policy and procedures containing
      roles and responsibilities and rules of behavior for firewall administrators.
              · Status – Resolved.
              · Planned Completion Date – 04/30/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased system security, reduced risk.

11.2  Correct the identified discrepancies on all firewalls.
              · Status – Resolved.
              · Planned Completion Date – 04/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased system security, reduced risk.

11.3  Properly configure network devices and servers to enforce separation of duties by
      limiting system access in accordance with assigned roles and responsibilities.
              · Status – Resolved.
              · Planned Completion Date – 04/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Avoid potential conflicts of interest, allow
                appropriate monitoring of administrator activities, increased system security,
                reduced risk.

11.4  Adhere to the Department’s incident response program policy to configure IPS, routers,
      and switches to detect and alert suspicious network activities.
              · Status – Resolved.
              · Planned Completion Date – 08/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Ensure that access and modification of
                sensitive or critical files are closely logged and monitored to prevent
                inappropriate activities, increased system security, reduced risk.

11.5  Communicate and effectively enforce audit policy and procedures to all employees.
              · Status – Resolved.
              · Planned Completion Date – 03/31/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Strengthened internal control over
                resources/actions, increased system security.

11.6  Properly configure IPS, routers, and switches to collect, maintain, and protect audit logs.
              · Status – Resolved.
              · Planned Completion Date – 07/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased system security, reduced risk.

11.7  Properly maintain security logs and periodically review the logs for IPS, routers, and
      switches, according to the Department’s Information Assurance Security Policy.
              · Status – Resolved.
              · Planned Completion Date – 07/31/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Compliance with laws and/or regulations, and
                increased system security, reduced risk.

11.8  Implement proper system audit configurations to detect suspicious activities and to
      prevent unauthorized access.
              · Status – Resolved.
              · Planned Completion Date – 07/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased system security, reduced risk.

11.9  Correct audit configurations for routers, servers, and databases.
              · Status – Resolved.
              · Planned Completion Date – 07/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Facilitate the implementation of the audit and
                accountability policy and associated audit and accountability controls,
                strengthened internal control.

12.1  Configure all servers and devices to ensure logging capability is properly configured to
      record or identify unauthorized transactions or functions.
              · Status – Resolved.
              · Planned Completion Date – 08/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Enable system administrators to isolate
                system anomalies and possible security breaches, increased system security,
                reduced risk.

12.2  Effectively perform user account and password maintenance.
              · Status – Resolved.
              · Planned Completion Date – 08/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Prevent unauthorized access to system
                resources, increased system security, reduced risk.

12.3  Remove unnecessary functions or accounts from the COD system.
              · Status – Resolved.
              · Planned Completion Date – 08/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Prevent loss or unauthorized disclosure of
                sensitive Department information, strengthened internal control over
                resources.

12.4  Ensure that the contractor follows through to implement actions for logging and access
      discrepancies.
              · Status – Resolved.
              · Planned Completion Date – 08/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased assurance that actions are
                appropriate, reduced risk.

12.5  Require the contractor to revise the COD system security plan to comply with
      Department directives.
              · Status – Resolved.
              · Planned Completion Date – 03/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Compliance with laws and/or regulations,
                increased system security, reduced risk.

12.6  Schedule periodic reviews of the configuration to ensure that the controls are operating as
      intended.
              · Status – Resolved.
              · Planned Completion Date – 08/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Strengthened internal control.

13.1  Ensure that the contractor removes any unneeded data from the system.
              · Status – Resolved.
              · Planned Completion Date – 08/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased system security, reduced risk.

13.2  Ensure that the contractor safely stores all internal transaction logs.
              · Status – Resolved.
              · Planned Completion Date – 08/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Maintain control and prevent unauthorized
                access, increased system security.

13.3  Ensure that the contractor preserves event logs.
              · Status – Resolved.
              · Planned Completion Date – 09/30/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Ensure an audit trail can be reviewed to
                identify repeat attacks, increased system security.

13.4  Ensure that the contractor establishes policies to safeguard backed-up data.
\xc2\xb7 Status \xe2\x80\x93 Resolved.\n              \xc2\xb7 Planned Completion Date \xe2\x80\x93 02/15/2008.\n              \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n              \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Strengthened internal control over\n                  resources/actions.\n\n13.5   Ensure that the contractor handles disposal of privacy related data in a secure manner.\n              \xc2\xb7 Status \xe2\x80\x93 Resolved.\n              \xc2\xb7 Planned Completion Date \xe2\x80\x93 08/15/2008.\n              \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n              \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Increased system security, strengthened\n                  internal control.\n\n\n\n\n                                               20\n\x0c13.6   Ensure that system policy describes actionable items related to privacy data.\n              \xc2\xb7 Status \xe2\x80\x93 Resolved.\n              \xc2\xb7 Planned Completion Date \xe2\x80\x93 06/30/2008.\n              \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n              \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Ensure the Department identifies and\n                  provides information security protection commensurate with the risk and\n                  magnitude of the harm resulting from the unauthorized access, use, disclosure,\n                  disruption, modification, or destruction of information or information systems.\n\n13.7   Ensure that the recommendations in previous sections are evaluated as to how they\n       ultimately impact safeguarding PII, and take action commensurate with the risk and\n       magnitude of harm resulting from data compromise.\n              \xc2\xb7 Status \xe2\x80\x93 Resolved.\n              \xc2\xb7 Planned Completion Date \xe2\x80\x93 09/30/2008.\n              \xc2\xb7 Estimated 
Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n              \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Increased system security, reduced risk.\n\n14.2   Develop an effective contract monitoring plan to ensure that all aspects of the contract are\n       appropriately monitored and Department polices are followed, including the deficiencies\n       specifically noted in this report.\n               \xc2\xb7 Status \xe2\x80\x93 Resolved.\n               \xc2\xb7 Planned Completion Date \xe2\x80\x9309/26/2008.\n               \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n               \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Increased assurance that actions are\n                   appropriate, reduced risk.\n\n14.3   Ensure the Contracting Officer (CO), Contracting Officer\xe2\x80\x99s Representative (COR), other\n       FSA staff, and contractors involved in contract management, meet to review the contract\n       monitoring plan and agree upon the methodology for monitoring the remainder of this\n       contract. 
       Ensure all parties understand their responsibilities for contract monitoring.
              · Status – Resolved.
              · Planned Completion Date – 10/31/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased effectiveness and system security.

14.5   Ensure that all future system contracts include requirements for documentation
       supporting scans, tests, and analyses conducted, and decisions made on the risks and
       mitigating factors considered, in support of the contractor's recommendations.
              · Status – Resolved.
              · Planned Completion Date – 12/31/2009.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Ensure full support of work performed to
                ensure the Department’s credibility with regard to any statements provided,
                increased system security.

Report Title:       Virgin Islands Department of Education’s Third Party Fiduciary Has
                    Been Ineffective in Providing Fiscal Oversight and Management of
                    Federal Education Funds
Issue Date:         9/26/2007
Report Number:      L02H0011 (Alert Memorandum[4])

Objective(s):

The purpose of this alert memorandum was to inform the Department that the Virgin Islands
Department of Education’s (VIDE) third party fiduciary has been ineffective in providing fiscal
oversight and management of federal education funds.

Finding(s):

1.    VIDE third party fiduciary has been ineffective in providing fiscal oversight and
      management of federal education funds.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Evaluate the lapsing of VIDE funds, numerous technical issues preventing full
      implementation of the third party fiduciary arrangement, the fiduciary’s serious internal
      control and financial weaknesses, the fiduciary’s security of confidential information and
      records in accordance with all applicable laws, and the fiduciary’s performance of its duties
      in accordance with its contract requirements. These matters should be addressed prior to
      the approval of the 2006 Consolidated Grant application.
              · Status – Resolved.
              · Planned Completion Date – 02/29/2008.
              · Estimated Cost Savings – Not quantified.
              · Other Non-monetary Benefits – Enhanced program effectiveness,
                minimize future lapsed funds.

[4] Alert Memoranda are prepared when a serious condition is identified that requires immediate Department
management action that is either outside the agreed-upon objectives of an on-going audit or inspection assignment
or is identified while engaged in work not related to an on-going assignment when an audit or inspection report will
not be issued.
Alert memoranda are not on the OIG website and are not publicly distributed.

Report Title:       Inspection of Active Congressional Earmarks in
                    FY 2005
Issue Date:         9/25/2007
Report Number:      I13H0004 (Inspection Report[5])
Link to Report:     http://www.ed.gov/about/offices/list/oig/aireports/i13h0004.pdf

Objective(s):

The objectives of our inspection were to:

1. Determine the total number and cost of congressional earmarks within the Department in FY
   2005, including the cost of the earmark and related costs such as staff time and
   administration.
2. Determine the adequacy of the oversight conducted on congressional earmarks under the
   Fund for the Improvement of Postsecondary Education (FIPSE) and the Fund for the
   Improvement of Education (FIE).
3. Determine the overall impact of FIPSE and FIE congressional earmarks on advancing the
   primary mission and goals of the Department.

Finding(s):

1.    Monitoring of earmarks within the Department is not consistent and the amount of time
      devoted to monitoring earmarks may not be sufficient to hold earmark recipients
      accountable.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Develop a methodology to ensure that earmark recipients are held accountable for the
      Federal funds they receive.
              · Status – Unresolved.
              · Planned Completion Date – Not applicable, unresolved.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Improved monitoring and oversight.

[5] Inspections are analyses, evaluations, reviews or studies of the Department’s programs.
The purpose of an
inspection is to provide Department decision makers with factual and analytical information, which may include an
assessment of the efficiency and effectiveness of their operations, and vulnerabilities created by their existing
policies or procedures. They are performed in accordance with the 2005 President’s Council on Integrity and
Efficiency Quality Standards for Inspections appropriate to the scope of the inspection.

Report Title:       Review of Federal Student Aid’s Monitoring of Guaranty
                    Agency Compliance with the Establishment of the Federal
                    Fund and the Operating Fund
Issue Date:         9/07/2007
Report Number:      I13H0001 (Inspection Report)
Link to Report:     http://www.ed.gov/about/offices/list/oig/aireports/i13h0001.pdf

Objective(s):

The objective of our inspection was to determine the adequacy of FSA’s support for its
conclusions concerning the establishment of the Federal Fund and the Operating Fund at the 27
guaranty agencies not audited by OIG in 2003. The OIG audited nine guaranty agencies and
reported the results in the 2003 OIG Audit, Oversight Issues Related to Guaranty Agencies
Administration of the Federal Family Education Loan Program Federal and Operating Funds.

Finding(s):

1.    The work performed by FSA on the 27 guaranty agencies not audited by OIG provides no
      assurance that the Federal and Operating Funds were established in compliance with the
      Higher Education Act of 1965, as amended (HEA).

Recommendation(s) Not Yet Implemented by the Department:

1.1   Perform onsite program reviews to examine supporting records for the establishment of the
      Federal and Operating Funds at the 27 guaranty agencies not previously reviewed by OIG
      to ensure that the funds were established in accordance with the HEA, including the
      requirement for the use of the cash basis of accounting.
              · Status – Resolved.
              · Planned Completion Date – 12/31/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Enhanced program effectiveness and
                compliance, improved monitoring and oversight.

1.2   Ensure that the program reviewers have the requisite accounting knowledge to sufficiently
      evaluate the establishment of the Federal and Operating Funds.
              · Status – Resolved.
              · Planned Completion Date – 12/31/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Enhanced program effectiveness and
                compliance, improved monitoring and oversight.

1.3   Ensure that adequate resources are devoted to perform the program reviews, e.g., adequate
      staff days and travel funds.
              · Status – Resolved.
              · Planned Completion Date – 12/31/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Enhanced program effectiveness and
                compliance, improved monitoring and oversight.

1.4   In performing the program reviews, identify, quantify, and report as erroneous payments
      any lost revenue to the Federal Fund that resulted from the incorrect assessment of usage
      fees.
              · Status – Resolved.
              · Planned Completion Date – 12/31/2008.
              · Estimated Cost Savings – Not quantified. Implementation of the recommendation
                will result in quantification of erroneous payments.
              · Other Non-monetary Benefits – Increased accuracy in reporting improper
                payments, enhanced program effectiveness and compliance, improved
                monitoring and oversight.

1.5   In performing the program reviews, identify any improper purchases made by guaranty
      agencies prior to the establishment of the Federal and Operating Funds, and require full
      repayment to the Federal Fund.
              · Status – Resolved.
              · Planned Completion Date – 12/31/2008.
              · Estimated Cost Savings – Not quantified.
                Implementation of the recommendation will result in quantification of funds
                to be repaid.
              · Other Non-monetary Benefits – Enhanced program effectiveness and
                compliance, improved monitoring and oversight.

Report Title:       Controls over Contract Monitoring for Federal Student Aid
                    Contracts
Issue Date:         8/24/2007
Report Number:      A19G0006
Link to Report:     http://www.ed.gov/about/offices/list/oig/auditreports/a19g0006.pdf

Objective(s):

The objectives of our audit were to determine whether FSA’s contract monitoring process
ensures that contractors adhere to the requirements of the contract, and that FSA receives the
products and services intended.

Finding(s):

1.    Improvements were needed in the monitoring of FSA contracts.

Recommendation(s) Not Yet Implemented by the Department:

1.3   Develop and implement a process to ensure acceptance/rejection of deliverables is
      appropriately communicated by the COR to the CO. Ensure the CORs provide written
      recommendations of deliverable acceptance/rejection to the COs.
              · Status – Resolved.
              · Planned Completion Date – 3/31/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Improved monitoring and oversight,
                enhanced contractor compliance with terms and conditions, increased
                strength of the Department’s position in the case of any dispute.

1.6   Ensure COR appointment letters are issued timely by the CO, and signed and returned
      timely by the COR.
      Review all FSA contracts to ensure that all current CORs have
      received an appointment letter and that a signed copy is included in the contract file.
              · Status – Resolved.
              · Planned Completion Date – 12/31/2007.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Improved monitoring and oversight,
                enhanced understanding of COR responsibilities under the contract.

Report Title:       Department of Education’s Oversight of the Free Application
                    for Federal Student Aid Verification Process
Issue Date:         8/23/2007
Report Number:      A09G0012
Link to Report:     http://www.ed.gov/about/offices/list/oig/auditreports/a09g0012.pdf

Objective(s):

Our audit objective was to determine if the Department had adequate procedures for evaluating
the effectiveness of the Free Application for Federal Student Aid (FAFSA) verification process
and ensuring that schools completed verification requirements for award year 2005-2006.

Finding(s):

1.    The Department could further enhance its procedures for ensuring schools complete
      FAFSA verification requirements.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Conduct program reviews, provide technical assistance, or take other actions to ensure that
      the schools we identified in our May 2, 2007, memorandum have completed verification
      and have accurately reported the results to the Department.
              · Status – Resolved.
              · Planned Completion Date – 01/31/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Enhanced program effectiveness and
                compliance, improved monitoring and oversight.

1.3   Require schools to report an S status to the COD system for a student whose application
      was selected by Central Processing System for verification, but the verification was not
      completed because the student was exempt under 34 C.F.R. § 668.54(b).
              · Status – Resolved.
              · Planned Completion Date – 09/30/2009.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Strengthened internal control, improved
                data reliability/accuracy.

Report Title:       Information Security Risk – Keylogger Vulnerability
Issue Date:         7/02/2007
Report Number:      L11H0002 (Alert Memorandum)

Objective(s):

The purpose of this alert memorandum was to bring attention to an increase of information
security risk associated with keylogger[6] activities.

Finding(s):

1.    The Department did not always effectively identify potential compromised accounts.
2.    The Department lacks a coordinated strategy to mitigate keylogger risks.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Develop and implement a plan to mitigate the risks presented by keyloggers.
      This plan should include policies and procedures to ensure that all potentially
      compromised accounts reported by the United States Computer Emergency Readiness Team
      are thoroughly reviewed and appropriate actions taken.
              · Status – Resolved.
              · Planned Completion Date – 06/30/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Proactively implement appropriate
                information security controls to support the mission while managing
                evolving information security risks, strengthen internal control.

1.3   Ensure that the Department’s customer base is educated as to keylogger and other threats,
      without increasing these threats, including modifying existing web pages to require the
      user to read and "click-through" an informational warning.
              · Status – Resolved.
              · Planned Completion Date – 06/30/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased awareness to identify threats,
                increased system security.

[6] Keyloggers are diagnostic tools that capture user’s keystrokes, make screenshots within the specified time
intervals, and save and record all activity (including passwords).

                    Section B – Recommendations Issued between
                       January 1, 2007, through June 30, 2007

                              Report/Recommendation Summary

This section presents those OIG work products released
from January 1, 2007, through June 30, 2007.
During this timeframe, OIG released 13 reports that included 52 recommendations for the Department to
implement. Of that universe, 8 reports include 19 recommendations that have not yet been
implemented.

Report Title:       Effectiveness of the Department’s Financial Management
                    Support System Oracle 11i Re-Implementation
Issue Date:         6/26/2007
Report Number:      A11F0005
Link to Report:     http://www.ed.gov/about/offices/list/oig/auditreports/a11f0005.pdf

Objective(s):

The objective of our audit was to assess the effectiveness of the overall project management of
the Department’s Financial Management Support System (FMSS) re-implementation. In
particular, we assessed: (1) the project’s system development methodology to manage system
requirements; (2) the project’s Earned Value Management System (EVMS) implementation to
control project scope, costs, and schedules; (3) aspects of contract monitoring, change control
and risk management; (4) the Department’s use of Independent Verification and Validation
(IV&V) services; and (5) the Department’s Information Technology (IT) capital asset
management and oversight practices.

Finding(s):

1.    The Department needs to improve project management planning, execution, and control.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Strengthen the March 2006 EVMS policy by developing EVMS monitoring procedures for
      CORs, COs, and project managers, and for Investment Acquisition Management Services
      (IAMS)/Contracts and Acquisitions Management (CAM) oversight.
              · Status – Resolved.
              · Planned Completion Date – 01/30/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Strengthened internal control.

1.2   Modify Administrative Communication System (ACS) Directive, Office of the Chief
      Financial Officer (OCFO): 2-108, to require a documented monitoring plan for all major
      IT investments, commensurate with project risks (e.g., complexity, cost, length, lifecycle
      stage); and make necessary adjustments to associated procedures.
              · Status – Resolved.
              · Planned Completion Date – 01/31/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Strengthened internal control.

1.3   Develop an IV&V services ACS Directive that establishes: (1) IV&V independence from
      the project served; (2) documented disposition of significant or repeated IV&V findings;
      and (3) periodic communication of IV&V findings to oversight bodies and project
      stakeholders at all levels.
              · Status – Resolved.
              · Planned Completion Date – 06/30/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased system security, strengthened
                internal control.

3.1   Direct the Chief Financial Officer (CFO) and Chief Information Officer (CIO) to work
      jointly to coordinate CAM and IAMS oversight and monitoring functions, and to develop a
      mandatory project and contract monitoring curriculum that focuses on: (a) establishing and
      carrying out a comprehensive contract monitoring plan for major IT investments; (b)
      EVMS compliance monitoring and reviewing a contractor’s periodic status reports; and (c)
      using EVMS variances and forecasts to mitigate project risks.
              · Status – Resolved.
              · Planned Completion Date – 07/30/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Strengthened internal control.

5.1   Direct the Investment Review Board Chair, the CFO, and the CIO to jointly improve IT
      acquisition and the IT Investment Management program to make oversight practices more
      effective by making the Capital Planning and Investment Control (CPIC) “Evaluate” phase
      applicable at the conclusion of any major system enhancements, and ensuring that CPIC
      oversight functions are able to ascertain whether/verify that: (a) tangible investment
      outcomes are established prior to capital investment approval; (b) the EVMS effectively
      complies with all essential industry standard guidelines; (c) the project has provided
      reliable performance results information to all decision-makers and stakeholders sufficient
      for informed decision making; (d) the disposition of IV&V findings is
      adequate and risks resulting from disposition are acceptable; and (e) project managers
      generally follow project plans, departures are documented, and resulting risks are
      understood and acceptable.
              · Status – Resolved.
              · Planned Completion Date – 3/30/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Strengthened internal control and project
                management.

6.1   Direct the CIO to determine the feasibility and advisability of consolidating system
      development infrastructures agency-wide and offering centralized expert support to
      development projects.
              · Status – Resolved.
              · Planned Completion Date – 01/30/2009.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased efficiency and effectiveness,
                strengthened internal control.

Report Title:       Hurricane Education Recovery Act, Temporary Emergency Impact Aid
Issue Date:         6/18/2007
Report Number:      L06H0008 (Alert Memorandum)

Objective(s):

During our audits of the Hurricane Education Recovery Act, Temporary Emergency Impact
Aid (EIA) at the Texas Education Agency (TEA) and the Louisiana Department of Education
(LDE), we became aware of displaced students being counted in both states in the same
quarter.
The purpose of this alert memorandum was to bring our concerns to the Department’s
attention so as to expedite corrective measures regarding this issue. We are concerned that
similar problems may be occurring in other states that received EIA funds.

Finding(s):

1.    Comparison of TEA and LDE databases identified duplicate student counts.
2.    Comparison of displaced students in at least 10 states needed to determine duplicates.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Coordinate with TEA and LDE to determine the circumstances of the duplicate counts and,
      where appropriate, determine the amount each state should refund due to the duplicate
      student counts we identified.
              · Status – Resolved.
              · Planned Completion Date – 06/30/2008.
              · Estimated Cost Savings – $799,500 in duplicate payments made.
              · Other Non-monetary Benefits – Enhanced program effectiveness and
                compliance.

2.1   At a minimum, take a sample of at least the 10 states that received the majority (91 percent)
      of the EIA funding and compare between those states to determine whether additional
      duplicate counting and duplicate EIA funding exists.
              · Status – Resolved.
              · Planned Completion Date – 06/30/2008.
              · Estimated Cost Savings – Not quantified.
                Implementation of the recommendation will result in determination of any
                additional duplicate payments made.
              · Other Non-monetary Benefits – Enhanced program effectiveness and
                compliance.

2.2   Ensure collection of any amounts disbursed based on duplicate displaced student counts.
              · Status – Resolved.
              · Planned Completion Date – 06/30/2008.
              · Estimated Cost Savings – Not quantified. Implementation of
                Recommendation 2.1 above will result in determination of any additional
                duplicate payments made.
              · Other Non-monetary Benefits – Enhanced program effectiveness and
                compliance.

Report Title:       Audit of the Termination of Department of Education Network
                    Access for Separated Employees
Issue Date:         5/23/2007
Report Number:      A19G0012
Link to the Report: http://www.ed.gov/about/offices/list/oig/auditreports/a19g0012.pdf

Objective(s):

The objectives of our audit were to determine whether access to the Department’s computer
network, Education Network (EDNet), was terminated timely for employees who separated from
the Department and, in cases where access was not terminated timely, to determine whether
separated employees accessed EDNet after their departure, and if so, assess the impact of that
access.

Finding(s):

1.    Improvements are needed in the Department's process for terminating access of separated
      employees.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Review the Handbook for Information Assurance Security Policy, Information Technology
      Security Controls Reference Guide, the Department's Directive on the Clearance of
      Personnel for Separation or Transfer, and the EDNet System Security Plan and make
      revisions, as necessary, to ensure consistency of guidance with regard to timeliness of
      notification of separation, method of notification, and account termination. Consider
      consolidating some of these documents, if feasible, to reduce duplication and confusion.
              · Status – Resolved.
              · Planned Completion Date – 06/30/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Enhanced use of resources, strengthened
                internal control, improved monitoring and oversight, enhanced protection
                of systems and data.

1.2   Revise the clearance form to require Principal Office (PO) IT coordinators to certify that an
      Account Termination Form has been completed and will be submitted to the Department’s
      Help Desk immediately upon the employee's separation from the Department.
              · Status – Resolved.
              · Planned Completion Date – 6/30/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Strengthened internal control, improved
                monitoring and oversight, enhanced protection of systems and data.

1.3   Amend the Department's policies and procedures, EDNet Access Control and Help Desk
      Standard Operating Procedures, and the EDNet contract to establish consistent guidance on
      the retention period for requests and other supporting documentation related to account
      terminations, as well as archiving and purging procedures and timeframes.
              · Status – Resolved.
              · Planned Completion Date – 6/30/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Strengthened internal control.

Report Title:       Information Security Risk – Capturing of Internet Protocol
                    Addresses
Issue Date:         5/03/2007
Report Number:      L21H0012 (Alert Memorandum)

Objective(s):

The purpose of this alert memorandum is to bring attention to a significant IT security risk with
FSA’s failure to capture the originating Internet Protocol (IP) addresses of users logging in to
major FSA systems.

Finding(s):

1.    FSA did not capture the originating IP addresses of users logging in to major FSA systems.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Make the necessary changes to FSA systems that would require the capturing of every
      user's IP address who logs in to the systems.
              · Status – Resolved.
              · Planned Completion Date – 03/31/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased system security, reduced risk.

Report Title:       Audit of the Discretionary Grant Award Process in the Office
                    of Postsecondary Education
Issue Date:         4/16/2007
Report Number:      A19G0001
Link to Report:     http://www.ed.gov/about/offices/list/oig/auditreports/a19g0001.pdf

Objective(s):

The objectives of our audit were to evaluate the effectiveness of the Office of Postsecondary
Education’s (OPE) grant award process, and determine if FY 2005 awards were made to
appropriately qualified entities.

Finding(s):

1.    OPE staff did not ensure grantees complied with OMB Circular A-133 audit requirements.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Ensure staff are aware of and screen for compliance with audit requirements prior to
      making noncompeting continuation awards, as required.
              · Status – Resolved.
              · Planned Completion Date – 5/30/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Enhanced program effectiveness,
                improved monitoring and compliance.

Report Title:       Review of the Department’s Competitive Sourcing/A-76 Competition
Issue Date:         2/28/2007
Report Number:      I13G0004 (Inspection Report)
Link to Report:     http://www.ed.gov/about/offices/list/oig/aireports/i13g0004.pdf

Objective(s):

The objectives of our inspection were to:

1.   Determine whether Human Resources Services is meeting the performance requirements in
     the Letter of Obligation and the Agency Tender.
2.   Determine whether Human Resources Services is meeting the cost savings identified in the
     Letter of Obligation and Agency Tender.

Finding(s):

1.   The Department did not provide the Most Efficient Organization (MEO) with the resources
     specified in the agreement.
2.   The MEO does not generate adequate performance data to assess compliance with the
     performance standards in the agreement.
3.   OCFO has not monitored MEO compliance with the performance standards in the
     agreement.
4.   Neither OCFO nor the MEO has sought a modification to the agreement.
5.   The Department is not meeting the cost savings identified in the agreement and is
     overstating its cost savings to OMB and Congress.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Reconsider how to best provide the Department with the competed human resources
      and training functions and determine whether the MEO should continue.
              · Status – Unresolved.
              · Planned Completion Date – Not applicable, unresolved.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Enhanced use of resources and
                management effectiveness.

Report Title:       The Department’s Administration of Selected Aspects of the
                    Reading First Program
Issue Date:         2/22/2007
Report Number:      A03G0006
Link to Report:     http://www.ed.gov/about/offices/list/oig/auditreports/a03g0006.pdf

Objective(s):

The objective of our audit was to determine whether the Department carried out its role in
accordance with applicable laws and regulations in administering the Reading Leadership
Academies (RLA) and related meetings and conferences, the National Center for Reading First
Technical Assistance contract award process, and its website and guidance for the Reading First
program.

Finding(s):

1.    Sessions at the Secretary's RLAs focused on a select number of reading programs.
2.    The Secretary's RLA handbook and guidebook appeared to promote the Dynamic
      Indicators of Basic Early Literacy Skills assessment test.
3.    The Department did not adequately assess issues of bias and lack of objectivity.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Establish controls to ensure compliance with, and avoid the appearance of violating the
      Department of Education Organization Act (DEOA) and No Child Left Behind Act of 2001
      (NCLB) curriculum provisions, especially when organizing conferences where specific
      programs of instruction are likely to be formally discussed or presented at Department
      sponsored events.
              · Status – Unresolved.
              · Planned Completion Date – Not applicable, unresolved.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Strengthened internal control, enhanced
                program effectiveness and compliance.

2.1   Establish controls to ensure the Department does not promote curriculum or create the
      appearance that it is endorsing or approving curriculum in its conference materials and
      related publications.
              · Status – Unresolved.
              · Planned Completion Date – Not applicable, unresolved.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Strengthened internal control, enhanced
                program effectiveness and compliance.

3.1   Establish controls to ensure adequate assessments of bias and lack of objectivity for
      individuals proposed to perform Department contract work are performed by the
      Department and its contractors.
              · Status – Resolved.
\xc2\xb7 Planned Completion Date \xe2\x80\x93 01/30/2008.\n                   \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                   \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Strengthened internal control, enhanced\n                       program effectiveness and compliance.\n\n\n\n\n                                             40\n\x0cAudit Title:                 Conflicting Responsibilities Included in the EDNet Contract\n                             Performance Work Statement\nIssue Date:                  2/16/2007\nReport Number:               L19H0006 (Alert Memorandum)\n\nObjective(s):\n\nThe purpose of this alert memorandum was to inform the Department of concerns regarding\nconflicting responsibilities in the EDNet contract Performance Work Statement.\n\nFinding(s):\n\n1.    The EDNet contract\'s Performance Work Statement included conflicting responsibilities\n      related to IT network security.\n\nRecommendation(s) Not Yet Implemented by the Department:\n\n1.2   Establish additional monitoring and oversight, through use of the EDNet IV&V contractor\n      or other means, to ensure that the contractor is appropriately monitoring, detecting, and\n      reporting on network security.\n                   \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                   \xc2\xb7 Planned Completion Date \xe2\x80\x93 2/1/2008.\n                   \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                   \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Improved monitoring and oversight, enhanced\n                       network security.\n\n\n\n\n                                              41\n\x0c                         Section C \xe2\x80\x93 Recommendations Issued\n                                 Prior to January 2007\n                            (January 1, 2001, to December 31, 2006)\n\n                              Report/Recommendation 
Summary\nThis section presents those OIG work products released from January 1, 2001, through December 31,\n2006. During this timeframe, OIG released 219 reports that included 1,369 recommendations for the\nDepartment to implement. Of that universe, 17 reports include 60 recommendations that have not yet\nbeen implemented.\n\nReport Title:                 Controls over Excessive Cash Drawdowns by Grantees\nIssue Date:                   12/18/2006\nReport Number:                A19F0025\nLink to Report:               http://www.ed.gov/about/offices/list/oig/auditreports/a19f0025.pdf\n\nObjective(s):\n\nThe objective of our audit was to determine whether the Department\xe2\x80\x99s controls identify and\nprevent excessive cash drawdowns by grantees.\n\nFinding(s):\n\n1.    Excessive drawdown reports did not effectively identify all potentially excessive cash\n      drawdowns.\n2.    Grants Policy and Oversight staff (GPOS) did not ensure POs monitored excessive\n      drawdowns.\n3.    Improvements are needed in use of payment flags to prevent inappropriate drawdowns.\n4.    
The Department did not monitor formula grants through the excessive drawdown reports.\n\nRecommendation(s) Not Yet Implemented by the Department:\n\n1.3   Design additional fields in Grant Administration and Payment System to allow GPOS to\n      enter resolution information for potentially excessive drawdowns so that, if resolved, the\n      grants do not appear on future reports until the next threshold is reached.\n                    \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                    \xc2\xb7 Planned Completion Date \xe2\x80\x93 12/31/2009.\n                    \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                    \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Enhanced monitoring and compliance,\n                        improved use of resources.\n\n\n\n\n                                               42\n\x0c3.1   Develop and implement a method to communicate payment flag information, including the\n      reasons the flag was imposed or cleared, to all program offices responsible for monitoring\n      additional grants awarded to the same recipient.\n                    \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                    \xc2\xb7 Planned Completion Date \xe2\x80\x93 12/31/2009.\n                    \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                    \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Enhanced monitoring and compliance,\n                       improved use of resources.\n\n\n\n\n                                               43\n\x0cReport Title:                Audit of the Department of Education FY 2005 IT Equipment\n                             Inventory\nIssue Date:                  11/29/2006\nReport Number:               A19G0007\nLink to the Report:          http://www.ed.gov/about/offices/list/oig/auditreports/a19g0007.pdf\n\nObjective(s):\n\nThe objective of our audit was to evaluate the process and 
results for the FY 2005 IT equipment\ninventory.\n\nFinding(s):\n\n1.    The Department could not support the results reported for the FY 2005 IT Equipment\n      Inventory.\n2.    Contract management was not effective.\n\nRecommendation(s) Not Yet Implemented by the Department:\n\n1.3   Update and implement policy and procedures for the inventory reconciliation process,\n      including requirements that adequate records are maintained to support inventory\n      reconciliations, and that results are referred to PO managers for validation.\n                   \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                   \xc2\xb7 Planned Completion Date \xe2\x80\x93 12/31/2008.\n                   \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                   \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Strengthened internal control, improved\n                        accuracy in reporting inventory results.\n\n\n\n\n                                               44\n\x0cReport Title:                 Financial Statement Audits \xe2\x80\x93 U.S. Department of Education\n                              for FY 2006 and FY 2005\nIssue Date:                   11/15/2006\nReport Number:                A17G0003\nLink to Report:               http://www.ed.gov/about/reports/annual/2006report/rssi-oai.pdf#page=7\n\nObjective(s):\n\nThe objectives of the audit were to:\n\n1. Provide an opinion on whether the financial statements are fairly presented in all material\n   respects.\n2. Report on internal controls that are intended to ensure that transactions are properly recorded\n   to permit the preparation of reliable financial statements, maintain accountability for\n   safeguarding of assets, and ensure that data supporting performance measures are properly\n   recorded.\n3. Report on compliance with laws and regulations that could have a direct and material effect\n   on the financial statements.\n\nFinding(s):\n\n1.    
Continued focus on credit reform estimation and financial reporting processes is warranted.\n      (MRC)\n2.    Controls surrounding information systems need enhancement. (MRC)\n\nRecommendation(s) Not Yet Implemented by the Department:\n\n2.1   Continue efforts to address security and control weaknesses disclosed in audit reports or\n      identified in internal self-assessments with an emphasis on addressing the root cause of the\n      security or control weakness, which should decrease the likelihood of a similar weaknesses\n      being identified in future audit assessments and internal self-assessments.\n                    \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                    \xc2\xb7 Planned Completion Date \xe2\x80\x93 6/30/2008.\n                    \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                    \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Protection of mission critical systems,\n                        improved and consistent security configuration across the organization,\n                        enhanced back-up capabilities, stronger security procedures and detection\n                        systems, strengthened internal control, improved protection, safeguarding\n                        PII, greater accountability for and safeguarding of computer inventory.\n\n\n\n\n                                                45\n\x0cReport Title:                      Review of Financial Partners\xe2\x80\x99 Monitoring and Oversight of\n                                   Guaranty Agencies, Lenders, and Servicers\nIssue Date:                        9/29/2006\nReport Number:                     A04E0009\nLink to the Report:                http://www.ed.gov/about/offices/list/oig/auditreports/a04e0009.pdf\n\nObjective(s):\n\nOur audit objective was to evaluate the adequacy of Financial Partners\'7 processes for monitoring\nguaranty agencies, lenders, and servicers.\n\nFinding(s):\n\n1.    
Weak control environment for monitoring and oversight.\n2.    Insufficient control activities over monitoring of program reviews and technical assistance.\n3.    Lack of effective information and communication process related to policy issues.\n4.    Risk assessment tool not fully implemented.\n\nRecommendation(s) Not Yet Implemented by the Department:\n\n1.2   Amend the Financial Partners\' mission statement to better emphasize compliance and\n      clarify the role of Financial Partners. Amend the functional statements for Financial\n      Partners and Program Compliance to establish clear lines of responsibility and authority for\n      oversight, monitoring, and compliance enforcement.\n                    \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                    \xc2\xb7 Planned Completion Date \xe2\x80\x93 06/30/2008.\n                    \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                    \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Strengthened internal control, improved\n                        monitoring and oversight.\n\n1.4   Require Financial Partners to stop recording as lender program reviews, program reviews\n      that are actually only servicer reviews.\n                    \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                    \xc2\xb7 Planned Completion Date \xe2\x80\x93 06/30/2008.\n                    \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                    \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Improved reporting accuracy.\n\n\n\n\n7\n Financial Partners is the division within FSA that was responsible for the oversight of the FFEL program and its\nparticipants.\n\n\n                                                        46\n\x0c1.5   Develop a consistent policy for identifying, quantifying, and reporting all liabilities\n      identified in program reviews regardless of whether they are resolved.\n           
         \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                    \xc2\xb7 Planned Completion Date \xe2\x80\x93 06/30/2008.\n                    \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                    \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Strengthened internal control, improved\n                        reporting accuracy, enhanced reporting and recovery of improper\n                        payments or misused funds.\n\n1.6 Request an amendment to the FSA Chief Operating Officer delegation of authority for\n    waiving liabilities to include additional controls for monetary limitations and consultation\n    with other Department officials. Eliminate the re-delegation to the Financial Partners\'\n    General Manager, and include appropriate controls in a replacement re-delegation to the\n    appropriate Program Compliance Officer. Ensure that managers and staff know and\n    understand the delegation of authority for waiving liabilities.\n                 \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                 \xc2\xb7 Planned Completion Date \xe2\x80\x93 06/30/2008.\n                 \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                 \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Strengthened internal control, enhanced\n                      management effectiveness.\n\n1.7   Require the tracking and documentation of the reasons for waiving a liability when\n      exercising the waiver authority.\n                   \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                   \xc2\xb7 Planned Completion Date \xe2\x80\x93 06/30/2008.\n                   \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                   \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Strengthened internal control.\n\n2.1   Ensure that Financial Partners follows its procedures and guidance for its program review\n  
    process.\n                   \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                   \xc2\xb7 Planned Completion Date \xe2\x80\x93 03/31/2008.\n                   \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                   \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Improved monitoring and oversight,\n                      enhanced program effectiveness and compliance.\n\n2.2   Require Financial Partners to enhance and implement its guidance to include procedures\n      that address the program review weaknesses we identified.\n                    \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                    \xc2\xb7 Planned Completion Date \xe2\x80\x93 06/30/2008.\n                    \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                    \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Improved monitoring and oversight,\n                       enhanced program effectiveness and compliance.\n\n\n\n\n                                               47\n\x0c2.3   Require Financial Partners to enhance and implement its guidance to include procedures\n      that address the technical assistance weaknesses and provide oversight to the regions to\n      ensure that technical assistance is consistently provided and properly documented.\n                    \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                    \xc2\xb7 Planned Completion Date \xe2\x80\x93 06/30/2008.\n                    \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                    \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Improved monitoring and oversight,\n                        enhanced program effectiveness and compliance.\n\n2.4   Ensure that Financial Partners strengthens its program review process to ensure consistency\n      in the program review process and that program reviews are issued and closed within\n      
established timeframes.\n                    \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                    \xc2\xb7 Planned Completion Date \xe2\x80\x93 06/30/2008.\n                    \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                    \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Improved monitoring and oversight,\n                       enhanced program effectiveness and compliance.\n\n2.5 Require Financial Partners to establish a quality assurance process that would ensure that\n    program reviews are conducted properly, that work papers support the conclusions reached\n    and findings are adequately documented.\n                 \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                 \xc2\xb7 Planned Completion Date \xe2\x80\x93 06/30/2008.\n                 \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                 \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Improved monitoring and oversight,\n                     enhanced internal control.\n\n2.6   Require Financial Partners to establish a quality assurance process that would ensure the\n      quality and the adequacy of technical assistance.\n                   \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                   \xc2\xb7 Planned Completion Date \xe2\x80\x93 06/30/2008.\n                   \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                   \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Improved monitoring and oversight,\n                       enhanced internal control.\n\n3.1 Develop written policies and procedures for obtaining timely guidance for resolution of\n    program issues and for communicating the results and decisions.\n                \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                \xc2\xb7 Planned Completion Date \xe2\x80\x93 04/01/2008.\n                \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 
Not applicable, non-monetary recommendation.\n                \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Strengthened internal control, improved\n                    monitoring and oversight\n\n\n\n\n                                               48\n\x0c3.2 Develop written policies and procedures for regular review of program reviews and other\n    significant program determinations by the Office of General Counsel (OGC).\n                  \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                  \xc2\xb7 Planned Completion Date \xe2\x80\x93 06/30/2008.\n                  \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                  \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Strengthened internal control, improved\n                     monitoring and oversight.\n\n4.1 Require Financial Partners to develop written policies and procedures on the use of the\n    guaranty agency, lender, and servicer scorecards as a risk assessment tool and train users\n    on their use.\n                  \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                  \xc2\xb7 Planned Completion Date \xe2\x80\x93 06/30/2008.\n                  \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                  \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Strengthened internal control, improved\n                    monitoring and oversight.\n\n\n\n\n                                              49\n\x0cReport Title:                Review of Department of Education\'s Online Privacy Policy\n                             and Protection of Sensitive Information\nIssue Date:                  9/29/2006\nReport Number:               A11G0004\nLink to Report:              Not posted, sensitive data\n\nObjective(s):\n\nThe objective of our audit was to assess the Department\xe2\x80\x99s compliance with OMB Memorandum\nM-06-20, FY 2006 Reporting Instructions for the Federal Information Security 
Management Act,\nand OMB Memorandum M-06-16, Protection of Sensitive Agency Information.\n\nFinding(s):\n\n1.    The Department did not ensure compliance with privacy laws and guidance as specified in\n      the OMB and Department directives as they relate to establishing protection controls for\n      privacy information.\n\nRecommendation(s) Not Yet Implemented by the Department:\n\n1.2   Update the Department\'s plans to ensure compliance with OMB Memorandum M-06-16.\n                  \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                  \xc2\xb7 Planned Completion Date \xe2\x80\x93 6/30/2008.\n                  \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                  \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Increased compliance with laws and/or\n                     regulations; strengthen internal control.\n\n\n\n\n                                              50\n\x0cReport Title:                  Review of the Department\xe2\x80\x99s Incident Handling Program\n                               and Intrusion Detection System\nIssue Date:                    9/28/2006\nAudit Report Number:           A11G0001\nLink to Report:                Not posted, sensitive data\n\nObjective(s):\n\nOur objective was to evaluate the effectiveness of the Department\xe2\x80\x99s Incident Handling (IH)\nIntrusion Detection System (IDS) in identifying and responding to aggressive Internet-based\nattacks in accordance with FISMA.\n\nFinding(s):\n\n1.    
The Department\xe2\x80\x99s incident handling program and intrusion detection system deployment\n      needs improvement.\n\nRecommendation(s) Not Yet Implemented by the Department:\n\n1.1   Review security evaluations and correct the identified Domain Name System security\n      configuration weaknesses.\n                   \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                   \xc2\xb7 Planned Completion Date \xe2\x80\x93 6/30/2008.\n                   \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                   \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Increased system security, reduced risks.\n\n1.2   Develop and implement consistent enterprise IH event monitoring policies and procedures\n      that will define types of incidents, events, and appropriate actions to take; and, reinforce an\n      enterprise-wide communication channel between the Department- and FSA-managed IH\n      and IDS.\n                    \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                    \xc2\xb7 Planned Completion Date \xe2\x80\x93 6/30/2008.\n                    \xc2\xb7 Estimated Cost Savings - Not applicable, non-monetary recommendation.\n                    \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Compliance with laws, enhanced policies\n                        and procedures for safeguarding resources, improved communication.\n\n1.3   Ensure effective monitoring of the IDS console.\n                   \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                   \xc2\xb7 Planned Completion Date \xe2\x80\x93 6/30/2008.\n                   \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                   \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Increased system security.\n\n\n\n\n                                                 51\n\x0c1.4   Develop enterprise policies and procedures for IDS deployment, maintenance, evaluation,\n      and risk assessment.\n 
                  \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                   \xc2\xb7 Planned Completion Date \xe2\x80\x93 6/30/2008.\n                   \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                   \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Enhanced assessments of risk, ensure that\n                      personnel will effectively identify and respond to malicious activity.\n\n1.6   Ensure that clear and measurable service level agreements exist for outsourced IDS\n      management.\n                   \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                   \xc2\xb7 Planned Completion Date \xe2\x80\x93 6/30/2008.\n                   \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                   \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Establish measurable components of\n                       performance management.\n\n\n\n\n                                             52\n\x0cReport Title:                System Security Review of the Education Data Center\n                             for FY 2006\nIssue Date:                  9/28/2006\nReport Number:               A11G0002\nLink to Report:              Not posted, sensitive data\n\nObjective(s):\n\nThe audit objectives were to evaluate management, operational, and technical controls of the\nDepartment\xe2\x80\x99s system security program in accordance with FISMA.\n\nFinding(s):\n\n1.    Management controls need improvement.\n2.    Operational security controls need improvement.\n3.    
Technical security controls need improvement.\n\nRecommendation(s) Not Yet Implemented by the Department:\n\n1.2   Revise the Plan of Action and milestones for OMB Memorandum M-06-16 to meet all of\n      the security control requirements set forth in OMB\'s memo and weaknesses identified in\n      this report.\n                    \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                    \xc2\xb7 Planned Completion Date \xe2\x80\x93 06/30/2008.\n                    \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                    \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Compliance with laws and/or regulations.\n\n2.1 Correct the Education Data Center physical data center weaknesses.\n                 \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                 \xc2\xb7 Planned Completion Date \xe2\x80\x93 6/30/2008.\n                 \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                 \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Physical data center protection,\n                    strengthened internal control.\n\n2.3   Establish policies and procedures to address identified tape handling control weaknesses.\n                   \xc2\xb7 Status \xe2\x80\x93 Resolved.\n                   \xc2\xb7 Planned Completion Date \xe2\x80\x93 6/30/2008.\n                   \xc2\xb7 Estimated Cost Savings \xe2\x80\x93 Not applicable, non-monetary recommendation.\n                   \xc2\xb7 Other Non-monetary Benefits \xe2\x80\x93 Improved protective controls over mission\n                       critical and sensitive data.\n\n\n\n\n                                               53\n\x0c2.4   Establish and implement enterprise-wide technical security configuration standards for its\n      operating systems, database applications, web services applications, and network devices\n      based on industry security standards.\n                   \xc2\xb7 Status 
– Resolved.
          · Planned Completion Date – 6/30/2008.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Strengthened internal control.

2.7   Consider two-factor authentication as a means to strengthen user access controls.
          · Status – Resolved.
          · Planned Completion Date – 6/30/2008.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Strengthened internal control.


Report Title:      The Reading First Program’s Grant Application Process
Issue Date:        9/22/2006
Report Number:     I13F0017 (Inspection Report)
Link to Report:    http://www.ed.gov/about/offices/list/oig/aireports/i13f0017.pdf

Objective(s):

The objectives of our inspection were to:

1.    Determine if the Department selected the expert review panel in accordance with the
      NCLB, Section 1203(c), and if the Department adequately screened the panel members for
      possible conflict of interest issues;
2.    Determine if the expert review panel adequately documented its reasons for stating that an
      application was not ready for funding; and
3.    Determine if the expert review panel reviewed the applications in accordance with
      established criteria and applied the criteria consistently.

Finding(s):

1.    The Department did not select the expert review panel in compliance with the requirements
      of NCLB.
2.    While not required to screen for conflicts of interest, the screening process the Department
      created was not effective.
3.    The Department did not follow its own guidance for the peer review process.
4.    The Department awarded grants to states without documentation that the subpanels
      approved all criteria.
5.    The Department included requirements in the criteria used by the expert review panels that
      were not specifically addressed in NCLB.
6.    In implementing the Reading First program, Department officials obscured the statutory
      requirements of the Elementary and Secondary Education Act of 1965, as amended
      (ESEA); acted in contravention of the Government Accountability Office Standards for
      Internal Control in the Federal Government; and took actions that call into question
      whether they violated the prohibitions included in the DEOA.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Develop internal management policies and procedures for the Office of Elementary and
      Secondary Education (OESE) program offices that address when legal advice will be
      solicited from the OGC and how discussions between OGC and the program staff will be
      resolved to ensure that programs are managed in compliance with applicable laws and
      regulations.
          · Status – Unresolved.
          · Planned Completion Date – Not applicable, unresolved.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Strengthened internal control, enhanced
            program effectiveness and compliance.

1.2   Review the management and staff structure of the Reading First program office and make
      changes, as appropriate, to ensure that the program is managed and implemented consistent
      with the statutory requirements of NCLB.
          · Status – Resolved.
          · Planned Completion Date – 06/30/2008.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Enhanced program effectiveness and
            compliance.

6.2   Request that OGC develop guidance for OESE on the prohibitions imposed by §3403(b) of
      the DEOA.
          · Status – Unresolved.
          · Planned Completion Date – Not applicable, unresolved.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Strengthened internal controls, enhanced
            program effectiveness and compliance.

6.4   Rely upon the internal advisory committee to: (a) determine whether the implementation of
      Reading First harmed the Federal interest and what course of action is required to resolve
      any issues identified; and (b) ensure that future programs, including other programs for
      which the Department is considering using Reading First as a model, have internal controls
      in place to prevent similar problems from occurring.
          · Status – Resolved.
          · Planned Completion Date – 06/30/2008.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Enhanced program effectiveness and
            compliance.

6.5   Convene a discussion with a broad range of state and local education representatives to
      discuss issues with Reading First as part of the reauthorization process.
          · Status – Resolved.
          · Planned Completion Date – 06/30/2008.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Enhanced program effectiveness and
            compliance.


Report Title:      Telecommunications Billing Accuracy
Issue Date:        2/01/2006
Report Number:     A19F0009
Link to Report:    http://www.ed.gov/about/offices/list/oig/auditreports/a19f0009.pdf

Objective(s):

The objective of our audit was to determine the effectiveness of the Department’s validation of
the billing accuracy for its telecommunications services.

Finding(s):

1.    The Office of the Chief Information Officer needs to improve internal control over
      telecommunications billings.

Recommendation(s) Not Yet Implemented by the Department:

1.2   Based on the risk assessment conducted for Recommendation 1.1, allocate adequate
      staffing to the Telecom Services Group to establish appropriate internal control and allow
      effective management of telecommunications services and expenditures.
          · Status – Resolved.
          · Planned Completion Date – 9/30/2008.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Strengthened internal control, enhanced
            management effectiveness.

1.4   Ensure Telecommunications Automated Tracking System (TATS) or other appropriate
      information technology resources are fully developed and operational to assist in the
      management of telecommunications services.
          · Status – Resolved.
          · Planned Completion Date – 8/31/2008.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Strengthened internal control, and
            enhanced monitoring and oversight.

1.6   Ensure telephone lines are disconnected timely when staff move. Take immediate action to
      correct issues noted during our audit – disconnect/discontinue services identified as not
      necessary, and update records to correctly identify holders of wireless services.
          · Status – Resolved.
          · Planned Completion Date – 2/28/2008.
          · Estimated Cost Savings – Not quantified.
          · Other Non-monetary Benefits – Strengthened internal control, better use
            of resources, enhanced management effectiveness.

1.7   Ensure Department policies and the TATS user manual accurately reflect information
      regarding what is accessible to POs within the TATS application to effectively monitor
      telecommunications costs.
          · Status – Resolved.
          · Planned Completion Date – 3/30/2008.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Strengthened internal control, and
            enhanced monitoring and oversight.


Report Title:      Audit of the Department’s IT Contingency Planning Program
                   – Asset Classification
Issue Date:        1/31/2006
Report Number:     A11F0006
Link to Report:    Not posted, sensitive data

Objective(s):

The objective of our audit was to evaluate the Department’s process for categorization of
information and information systems to determine whether the categories are properly assigned
to ensure continuity of operations.

Finding(s):

1.    Identification and classification activities inconsistently categorize IT assets and do not
      effectively ensure continuity of operations.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Establish a fully integrated process to identify and classify information resources, ensuring
      that Department asset identification and valuation activities are conducted as an integral
      part of Enterprise Architecture activities, and classifications support broad decision making
      throughout the asset's full life cycle (i.e., ratings meet the needs of all management
      components that make use of such data).
          · Status – Resolved.
          · Planned Completion Date – 06/30/2008.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Strengthened internal control over
            resources, increased oversight coordination regarding inventory
            development and classification of assets.

1.2   Establish effective oversight controls (e.g., accountability for monitoring, coordination and
      validation) to ensure that established procedures and guidance are followed; a reliable
      system of record for the Department's portfolio/inventory of IT assets is established, and
      listing and classifications to date are validated; and assets are reliably identified and
      classified over time and across the agency as a whole.
          · Status – Resolved.
          · Planned Completion Date – 06/30/2008.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Enhanced resource management;
            complete and consistent accounting and rating of Department IT assets.

1.3   Modify official guidance (i.e., ACS directives) to ensure that Department guidance is
      consistent with federal guidelines and fully documents an integrated and repeatable process
      to identify, define and classify/categorize assets and subcomponents; and Department
      guidance includes categories and ratings that offer sufficient differentiation to support their
      intended use, and logical mapping across rating definitions, where pertinent.
          · Status – Resolved.
          · Planned Completion Date – 06/30/2008.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Improved guidance for providing
            enterprise-wide validation and verification of various classification results.

1.4   Provide training to ensure consistency in the application of the Department's guidance.
          · Status – Resolved.
          · Planned Completion Date – 06/30/2008.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Increased protection of Department assets.


Report Title:      Department’s Activities Relating
                   to Consolidating Funds in Schoolwide Programs Provisions
Issue Date:        12/29/2005
Report Number:     A07F0014
Link to Report:    http://www.ed.gov/about/offices/list/oig/auditreports/a07f0014.pdf

Objective(s):

The objectives of our audit were to determine what the Department has done to assist state
educational agencies (SEA) in modifying or eliminating state fiscal and accounting barriers to
consolidating funds and encouraging schools to consolidate funds in their schoolwide programs,
and what the Department could do to further assist SEAs in these two areas.

Finding(s):

1.    The Department could do more to support SEAs in fulfilling their responsibilities under the
      schoolwide consolidating funds provisions by publishing the guidance on schoolwide
      programs it promised in the July 2, 2004, notice in the Federal Register.
2.    Even though Department site-visitors have found that SEAs generally have not encouraged
      Local Educational Agencies (LEAs) and schools to consolidate funds in their schoolwide
      programs, they have not included these findings in site-visit reports.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Require the Director of Student Achievement and School Accountability Programs to
      ensure that her staff develop and issue guidance on consolidating federal, state, and local
      funds in schoolwide programs that would include: (1) options on consolidating funds that
      would best accommodate federal programmatic and reporting requirements; and (2)
      information about the potential advantages of consolidating funds.
          · Status – Resolved.
          · Planned Completion Date – 03/31/2008.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Strengthened internal control, enhanced
            program effectiveness and compliance.

1.2   Require the Director of Student Achievement and School Accountability Programs to
      ensure that her staff, as part of developing new guidance on consolidating funds, meet with
      officials from the three SEAs that we found to have developed the most extensive guidance
      on consolidating funds in order to ensure that the Department's guidance in this area takes
      advantage of the most promising practices, and learn what SEAs perceive to be federal
      barriers to consolidating funds.
          · Status – Resolved.
          · Planned Completion Date – 03/31/2008.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Strengthened internal control, enhanced
            program effectiveness and compliance.

2.1   Require the Director of Student Achievement and School Accountability Programs to
      ensure that her staff follow the Department's current SEA monitoring procedures with
      respect to the consolidating funds responsibilities of SEAs.
          · Status – Resolved.
          · Planned Completion Date – 03/31/2008.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Enhanced program effectiveness and
            compliance, improved monitoring and oversight.

2.2   Require the Director of Student Achievement and School Accountability Programs to
      ensure that her staff include in reports for SEA program reviews findings, and
      recommendations for corrective action, regarding any failures on the part of SEAs to fulfill
      their responsibilities under the provisions in the ESEA, Title I, Part A, §§ 1111(c) (9) and
      (10).
          · Status – Resolved.
          · Planned Completion Date – 03/31/2008.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Enhanced program effectiveness and
            compliance, improved reporting, monitoring, and oversight.


Report Title:      Death and Total and Permanent Disability Discharges of FFEL
                   and Direct Loan Program Loans
Issue Date:        11/14/2005
Report Number:     A04E0006
Link to Report:    http://www.ed.gov/about/offices/list/oig/auditreports/a04e0006.pdf

Objective(s):

The objective of our audit was to determine whether FSA has implemented effective policies,
procedures, and internal controls over the process for discharging William D. Ford Federal
Direct Loan and FFEL program loans, based on the death or total and permanent disability of the
borrower.

Finding(s):

1.    The regulatory three-year conditional discharge period is inadequate for determining
      eligibility of all borrowers.
2.    Regulations that excuse a borrower from paying interest should be reconsidered.
3.    FSA did not update National Student Loan Data System, as required.

Recommendation(s) Not Yet Implemented by the Department:

2.1   Revise the Department's regulations to ensure that, if a borrower's loans are reinstated from
      a conditional discharge status, the borrower is required to pay any interest that accrued on
      his or her loans through the end of the conditional discharge.
          · Status – Resolved.
          · Planned Completion Date – 03/31/2008.
          · Estimated Cost Savings – Not quantified.
          · Other Non-monetary Benefits – Enhanced program effectiveness,
            increased recovery of interest accrued.


Report Title:      Review of the Department's Incident Handling Program and
                   EDNet Security Controls
Issue Date:        10/06/2005
Report Number:     A11F0002
Link to Report:    Not posted, sensitive data

Objective(s):

Our audit objectives were to evaluate the effectiveness of the Department’s IH Program to
identify and respond to aggressive Internet-based attacks against mission critical systems residing
at Education data centers, and evaluate platform level security controls of select systems residing
on the EDNet in accordance with FISMA.

Finding(s):

1.    The IH program needs improvement.
2.    EDNet configuration management controls need improvement.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Review existing remote data center contracts and require contracts to be modified to ensure
      that contractors and sub-contractors comply with and follow Department policies and
      procedures for reporting all computer security incidents per Department policy.
          · Status – Resolved.
          · Planned Completion Date – 02/29/2008.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Improved compliance with laws and/or
            regulations.

1.3   Implement comprehensive IDS and IH policies and procedures to promptly and effectively
      detect, respond to, and report malicious scans and covert attacks from internal and external
      sources.
          · Status – Resolved.
          · Planned Completion Date – 3/31/2008.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Increased systems security, reduced risk.

1.7   Communicate the Department's ACS Handbook for Information Security Incident
      Response and Reporting Procedures, to the remote data centers to clearly define who will
      perform forensic analysis in the event of a system compromise.
          · Status – Resolved.
          · Planned Completion Date – 3/31/2008.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Strengthened internal control over
            resources/actions.

1.8   Develop clear policies and procedures within the ACS Handbook for Information Security
      Incident Response and Reporting Procedures, to ensure that sensitive information
      regarding computer security incidents is encrypted before being transmitted within the
      Department and to outside organizations.
          · Status – Resolved.
          · Planned Completion Date – 6/30/2008.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Strengthened internal control, increased
            system security.


Report Title:      Review of Department Identified Contracts and Grants for
                   Public Relations Services
Issue Date:        9/01/2005
Report Number:     I13F0012 (Inspection Report)
Link to Report:    http://www.ed.gov/about/offices/list/oig/aireports/i13f0012.pdf

Objective(s):

The objective of our inspection was to determine whether any of 35 Department-identified
contracts and grants resulted in publicity or propaganda paid with appropriated funds.

Finding(s):

1.    Department contract and grant personnel did not understand their responsibilities with
      regard to the prohibition on the use of appropriated funds for publicity or propaganda.
2.    Contract and grant files were incomplete and lacked documentation of deliverables.
3.    Grants that resulted in materials that may have been publications did not include the
      Education Department General Administrative Regulations (EDGAR) disclaimer.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Ensure that Department grant and contract personnel understand the prohibition on the use
      of appropriated funds for publicity or propaganda and ensure that this information is
      communicated to grantees.
          · Status – Unresolved.
          · Planned Completion Date – Not applicable, unresolved.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Enhanced program effectiveness and
            compliance, improved monitoring and oversight.

1.2   Ensure that contract and grant personnel understand when disclosure of the Department's
      role is required and ensure that the language is included in contracts as appropriate, and
      that the EDGAR requirements are clearly communicated to grantees.
          · Status – Unresolved.
          · Planned Completion Date – Not applicable, unresolved.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Enhanced program effectiveness and
            compliance, improved monitoring and oversight.

2.1   Monitor contracts and grants and ensure that files are complete and appropriately
      documented. For contracts, files should also include proof of production of the
      deliverables.
          · Status – Unresolved.
          · Planned Completion Date – Not applicable, unresolved.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Enhanced program effectiveness and
            compliance, improved monitoring and oversight.

2.2   Obtain copies of the contract deliverables not available for our review, determine if there
      were any violations of the covert propaganda prohibition, and report any resulting
      violations of the Antideficiency Act to the President, Congress, and the Comptroller General
      in accordance with the instructions of OMB Circular A-11. In the review of these
      deliverables the Department should also assess compliance with 48 C.F.R. § 3452.227-70,
      as appropriate.
          · Status – Unresolved.
          · Planned Completion Date – Not applicable, unresolved.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Enhanced program effectiveness and
            compliance, improved reporting, monitoring, and oversight.

3.1   Determine the amount of improper expenditures associated with the publication of opinion-
      editorial pieces under the grants identified in our review and initiate a recovery action for
      the unallowable use of funds.
          · Status – Unresolved.
          · Planned Completion Date – Not applicable, unresolved.
          · Estimated Cost Savings – Not quantified. Implementation includes
            determining the amount of any improper expenditures.
          · Other Non-monetary Benefits – Enhanced program effectiveness and
            compliance, improved monitoring and oversight.

3.2   Review the materials produced under the grants identified in our review to determine if the
      items without EDGAR disclaimers were publications. If so, determine the amount of
      improper expenditures and, if appropriate, initiate a recovery action for the unallowable use
      of funds.
          · Status – Unresolved.
          · Planned Completion Date – Not applicable, unresolved.
          · Estimated Cost Savings – Not quantified. Implementation includes
            determining the amount of any improper expenditures.
          · Other Non-monetary Benefits – Enhanced program effectiveness and
            compliance.


Report Title:      Departmental Actions to Ensure Charter Schools’ Access to
                   Title I and Individuals with Disabilities Education Act, Part B
                   Funds
Issue Date:        10/26/2004
Report Number:     A09E0014
Link to Report:    http://www.ed.gov/about/offices/list/oig/auditreports/a09e0014.pdf

Objective(s):

The objective of the audit was to determine whether the Department has taken sufficient action to
ensure that states and LEAs within those states provide new or expanding charter schools with
timely and meaningful information about the ESEA Title I and Individuals with Disabilities
Education Act (IDEA), Part B funds for which these schools may be eligible, and have
management controls that ensure charter schools, including new or expanding charter schools, are
allocated the proportionate amount of Title I and IDEA Part B funds for which these schools are
eligible.

Finding(s):

1.    The Department should identify the cognizant program office(s) responsible for oversight
      of SEA compliance with the ESEA § 5206 provisions.
2.    The Department should issue guidance on the need for SEA and LEA notification
      procedures for expanding charter schools.
3.    The Department should enhance Title I and IDEA Part B monitoring procedures to ensure
      new or expanding charter school LEAs and charter schools receive proportionate and
      timely access to Federal funds.
4.    The Office of Special Education and Rehabilitative Services should consider issuing
      guidance on the application of the IDEA Part B funding formula for charter school LEAs
      that did not have a student with disabilities enrolled in the first year of operation.

Recommendation(s) Not Yet Implemented by the Department:

2.1   Direct the appropriate program office(s) to provide guidance to SEAs on the need to
      establish written procedures on SEA or LEA notification requirements and the definition of
      "significant expansion of enrollment."
      The guidance should instruct SEAs to annually
      distribute this information to all charter schools, charter authorizers, and LEAs, to ensure
      that they are aware of the requirements and their respective responsibilities.
          · Status – Resolved.
          · Planned Completion Date – 12/31/2007.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Strengthened internal control, enhanced
            program effectiveness and compliance.


Report Title:      FSA Audits on Administrative Stay
Issue Date:        5/04/2004
Report Number:     L19E0008 (Alert Memorandum)

Objective(s):

The purpose of this alert memorandum is to inform the Department of concerns relating to FSA
audits on administrative stay.

Finding(s):

1.    FSA placed 13 audits on administrative stay for excessive periods of time.
2.    FSA did not follow Department guidelines for its use of administrative stays.
3.    FSA did not maintain appropriate documentation of the audit resolution process.

Recommendation(s) Not Yet Implemented by the Department:

1.2   Ensure the two professional judgment audits, and the prior professional judgment audit, are
      promptly resolved as soon as a decision is received from the Secretary.
          · Status – Unresolved.
          · Planned Completion Date – Not applicable, unresolved.
          · Estimated Cost Savings – Not applicable, non-monetary recommendation.
          · Other Non-monetary Benefits – Enhanced monitoring and compliance.

Department Explanation of Any Delays in Implementing Recommendations:

The prior professional judgment audit has been remanded to the Office of Hearings and Appeals
for further review. FSA will resolve the audits as soon as a final decision is made on the case.


Report Title:      Contract Unliquidated Balances Converted From Department
                   of Education’s Payment Management System
Issue Date:        8/29/2002
Report Number:     L07C0020 (Alert Memorandum)

Objective(s):

The purpose of this memorandum is to alert OCFO to an issue we identified concerning the
conversion of unliquidated contract obligations from Education Payment Management System
(EDPMS) to the Education Central Automated Processing System (EDCAPS). The net
unliquidated balances converted to EDCAPS may have been significantly overstated upon
conversion and determination of the actual amount paid under those contracts may require
extensive research and reconciliation.

Finding(s):

1.    Conversion of unliquidated contract balances from EDPMS to EDCAPS.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Reconcile the actual payments made to total contract expenditures for the 11 contracts
      listed in the alert memo prior to contract closeout. Ensure that the reconciliation process
      for these contracts includes reviewing potentially overstated unliquidated obligations
      converted from EDPMS to EDCAPS.
          · Status – Resolved.
          · Planned Completion Date – 01/30/2008.
          · Estimated Cost Savings – Not quantified. Implementation includes
            determining the amount of any overstated obligations.
          · Other Non-monetary Benefits – Increased data reliability/accuracy, strengthened
            internal control.


Appendix A - Acronym Listing

AARTS        Audit Accountability and Resolution Tracking System
ACS          Administrative Communications System
C&A          Certification and Accreditation
CAM          Contracts and Acquisitions Management
CFO          Chief Financial Officer
CIO          Chief Information Officer
CO           Contracting Officer
COD          Common Origination and Disbursement
COO          Chief Operating Officer
COR          Contracting Officer’s Representative
CPIC         Capital Planning and Investment Control
Department   U.S. Department of Education
DEOA         Department of Education Organization Act
EDCAPS       Education Central Automated Processing System
EDGAR        Education Department General Administrative Regulations
EDNet        Department’s computer network system
EDPMS        Education Payment Management System
EIA          Temporary Emergency Impact Aid
ESEA         Elementary and Secondary Education Act
EVMS         Earned Value Management System
FAFSA        Free Application for Federal Student Aid
FFEL         Federal Family Education Loan
FIE          Fund for the Improvement of Education
FIPSE        Fund for the Improvement of Postsecondary Education
FISMA        Federal Information Security Management Act
FMSS         Financial Management Support System
FSA          Federal Student Aid
GPOS         Grants Policy and Oversight Staff
HEA          Higher Education Act of 1965, as amended
IAMS         Investment Acquisition Management Services
IDEA         Individuals with Disabilities Education Act
IDS          Intrusion Detection System
IH           Incident Handling
IP           Internet Protocol
IPS          Intrusion Prevention System
IT           Information Technology
IV&V         Independent Verification & Validation
LEA          Local Educational Agency
LDE          Louisiana Department of Education
MRC          Modified Repeat Condition
MEO          Most Effective Organization
NCLB         No Child Left Behind Act of 2001
NIST         National Institute of Standards and Technology
OCFO         Office of the Chief Financial Officer
OESE         Office of Elementary and Secondary Education
OGC          Office of General Counsel
OIG          Office of Inspector General
OMB          Office of Management and Budget
OPE          Office of Postsecondary Education
PII          Personally Identifiable Information
PO           Principal Office
RLA          Reading Leadership Academies
SEA          State Educational Agency
SLM          Student Loan Model
TATS         Telecommunications Automated Tracking System
TEA          Texas Education Agency
VIDE         Virgin Islands Department of Education


Appendix B

Request from Chairman Waxman
'